This week’s big news is a rash of data breaches at LinkedIn, eHarmony, and Last.fm that exposed millions of account passwords, and probably other data that the attackers haven’t made public. So we have the obligatory links to cover those stories, but also a wealth of interesting new and updated tools. Among these are HexDive, SquirrelGripper, ShadowKit, and a Report Writing cheat sheet from Girl, Unallocated. Also worthy of particular note is Corey Harrell’s Compromise Root Cause Analysis Model in the Good Reads section. There’s a lot of good stuff to take in this week, especially in the Tools and Good Reads categories, so please read on!
If you have an item you’d like to contribute to Digital Forensics Case Leads, please send it to firstname.lastname@example.org.
Your Password Is Out There:
Last week’s edition of Case Leads was on fire with news about the Flame malware. This week brings us a rash of compromises leaking millions of passwords as LinkedIn, eHarmony, and Last.fm fall victim to hackers. The leak of these password hashes revealed a serious security failure, showing that these sites (and probably others) are storing their customers’ credentials and other confidential data insecurely.
- Heise Security: Password Leaks Bigger Than First Thought
- Heise Security – Comment: LinkedIn and its password problems
- Data Breach Today: LinkedIn Has Neither CIO nor CISO – seriously?
- LinkedIn Blog: Taking Steps to Protect Our Members – Details about the breach are sparse here, as with the other companies, and I certainly hope they know more than they are revealing at present (like whether the attack has been contained).
- The Register: LinkedIn Users Buried In Spam After Breach
- Cybercrime Review: LinkedIn’s Negligence In Failing to Adequately Secure User Passwords
- eHarmony Blog: Updates On Ongoing Efforts To Protect Our Members
- The Register: Dating Site eHarmony Plays Data-breach Me-too
- Last.HQ: An Update on Last.FM Password Security
- The Register: Last.fm tell users to change passwords IMMEDIATELY
Tools:
- Process Explorer 15.2 was released. This version integrates AutoRuns functionality and introduces a graphical process timeline, among other cool changes.
- ShadowKit by David Dym is a relatively new tool for accessing/recovering Volume Shadow Copies. I haven’t had an opportunity to try this yet, but it sounds promising. (Thanks to Rob Dewhirst for bringing this one to our attention.)
- Melia Kelley (Girl, Unallocated) recently posted an excellent Report Writing cheat sheet over on her blog. Many times, and in many locations, new and aspiring forensicators have posted queries in search of guidance in this critical area. Melia’s cheat sheet is an easy visual guide to help with the process.
- Hexacorn Ltd has released HexDive v0.1 (download link at bottom of post). HexDive is aptly subtitled the “Intelligent String Extractor.” It aims at bringing some intelligence to the extraction of strings from binary files, and though it’s early in development, succeeds quite well. The first layer of that intelligence is that it filters out the garbage strings that one usually encounters when dumping strings from a binary. That alone is worthwhile for accelerating analysis, but HexDive goes a step further by classifying the type of string found. This classification is still a work in progress, but very cool. During a Twitter conversation with the author, he mentioned that HexDive currently misses URL strings, and it’s possible it will miss other salient artifacts. But it’s quite handy for such a new tool, and needs to be encouraged. If you try it and notice particular string artifacts that it’s missing, please let the author know.
- A Perl Script Plays Matchmaker with ExifTool and SQLite – Cheeky4n6Monkey has developed SquirrelGripper (you have to read this just for the explanation of the name!), a Perl script that sends ExifTool output to a SQLite database for easier analysis.
- Jesse Kornblum recently released md5deep 4.1.1 and ssdeep 2.8 to fix bugs in those tools.
- AccessData released FTK 4.0.2, which includes support for the new EX01 evidence format, as well as decryption support for YAFFS 1 & 2 and iOS. See the Release Notes (PDF) for the full change list.
Good Reads:
- Jason Fossen recently posted Windows Exploratory Surgery with Process Hacker over on the SANS Windows Security Blog. There, he makes available the PDF version of slides he’s used in recent presentations by the same title. However, I use the term “slides” loosely; the PDF contains 36 pages of excellent text that cover key Windows details in the context of malware analysis.
- The Consortium of Digital Forensics Specialists (CDFS) posted an update on their work in progress earlier this week. The organization is still young, and much of its work is still behind the scenes, but the stuff they are working on is well worth keeping an eye on.
- Corey Harrell posted his Compromise Root Cause Analysis Model, which is both a process and a way of thinking that can go a long way toward helping to answer the key questions “How did a compromise occur?” and “When did it occur?”
- SC Market Scope: The high risk of lower data breach costs – Interesting position, but I’m not convinced that data breach costs heavily influence a company’s security posture in either direction. My suspicion is that decisions about security and risk are more heavily influenced by less rational factors such as perception and attitude.
- ArsTechnica: Microsoft Contains Flame with Windows Update Revamp
Events:
- Audio Engineering Society Audio Forensics – Denver, CO – June 14 – 16, 2012
- 24th Annual FIRST Conference – Malta – June 17 – 22, 2012
- SANS Forensics and Incident Response Summit – Austin, TX – June 20 – 27, 2012
- SANS Canberra 2012 – Canberra, Australia – July 2 – 10, 2012
- SANSFIRE 2012 – Washington, DC – July 6 – 15, 2012
- Symposium On Usable Privacy and Security (SOUPS 2012) – Washington, DC – July 11 – 13, 2012
- Black Hat USA – Las Vegas, NV – July 21 – 26, 2012
- DEF CON 20 – Las Vegas, NV – July 26 – 29, 2012
- SANS San Francisco 2012 – San Francisco, CA – July 30 – Aug 06, 2012
- DFRWS 2012 Conference – Washington, DC – Aug 05 – 08, 2012
- SANS Boston 2012 – Boston, MA – Aug 06 – 11, 2012
- USENIX Security ’12 – Bellevue, WA – Aug 06 – 10, 2012
- 7th USENIX Workshop on Hot Topics in Security (HOTSEC ’12) – Bellevue, WA – Aug 07, 2012
- 2012 Malware Technical Exchange Meeting (Security Clearance Required) – El Segundo, CA – Aug 14 – 16, 2012
- 7th ARES conference (ARES 2012) – Prague, Czech Republic – Aug 20 – 24, 2012
- First International Workshop on Security Ontologies and Taxonomies (SecOnT 2012) – University of Economics, Prague, Czech Republic – Aug 20 – 24, 2012
- SANS Virginia Beach – Virginia Beach, VA – Aug 20 – 31, 2012
- SANS Crystal City – Arlington, VA – Sep 06 – 11, 2012
- European Symposium on Research in Computer Security – Pisa, Italy – Sep 10 – 12, 2012
- 15th International Symposium on Research in Attacks, Intrusions and Defenses – Vrije Universiteit, Amsterdam, The Netherlands – Sep 12 – 14, 2012
- HTCIA International Conference & Training Expo – Hershey, PA – Sep 16 – 19, 2012
- SANS Network Security 2012 – Las Vegas, NV – Sep 16 – 24, 2012
- VirusBulletin 2012 – Dallas, TX – Sep 26 – 28, 2012
- GrrCon – Grand Rapids, MI – Sep 27 – 28, 2012
Call For Papers:
- Third ICST International Conference on Digital Forensics and Cyber Crime – Due Jun 12, 2012
- The Evidence Conference – Due Jun 15, 2011
- IEEE International Workshop on Information Security and Forensics – Due Jun 24, 2012
- International Computer Science and Engineering Conference – Due Jun 30, 2012
- DoD Cybercrime Conference 2013 – Due July 6, 2012
- 7th International Conference on Legal, Security and Privacy Issues in IT Law – Due Aug 25, 2012
- 2012 secau Security Congress – Due Sep 30, 2012
Digital Forensics Case Leads is a (mostly) weekly publication of the week’s news and events relating to digital forensics. If you have an item you’d like to share, please send it to email@example.com.
Digital Forensics Case Leads for 20120609 was compiled by Gregory Pendergast, forensicator, incident handler, and jack-of-all-security at Virginia Commonwealth University. Greg also contributes book and product reviews to Digital Forensics Magazine and InfoSecReviews.com.